Computer Sabotage: An Insider Threat

According to recent research, employees and contractors are perpetrating more cyber security attacks than ever to harm organizations intentionally.

Computer security threats have challenged IT management, administrators, and auditors since the beginning of the high-tech age. Although much has been published on external threats, such as viruses, worms, and hackers, statistics are not as clear regarding the prevalence of cases perpetrated by insiders.

To help organizations gain a better understanding of insider risks, the CERT Coordination Center released its Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. The goal of the study, conducted in coordination with the U.S. Secret Service National Threat Assessment Center, was to address insider threat from a human resources, corporate security, and information security perspective. The study focused on user intent to misuse computer resources to harm organizations.

In the study, researchers reviewed 49 cases of computer sabotage perpetrated by insiders that caused a financial loss to the organization, negatively impacted business operations, or damaged the organization’s reputation. The cases involved current or former employees or contractors who intentionally misused or exceeded authorized access to systems or data. In addition, the cases included incidents in which there were unauthorized attempts to view, disclose, retrieve, delete, change, or compromise information.

FOCUS ON DETECTION AND PREVENTION

Researchers reviewed details of the cases under investigation, focusing on incident detection and insider identification. Information was reviewed about pre-incident planning and communication; nature of harm to the organization; law enforcement and organizational response; and insider background, history, technical expertise, and interests.

Some of the key findings in the study included:

Preparation

  • A negative work-related event triggered most insiders’ actions.
  • The majority of insiders planned their activities in advance.
  • The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.
  • Remote access was used to conduct the majority of attacks.
  • The majority of attacks were accomplished using company computer equipment.

Detection

Most of the insider attacks were detected when there was a noticeable irregularity in the data system, or systems became unavailable. For example:

  • System logs were the most prevalent means to identify insiders.
  • Most insiders took steps to conceal their identities and activities.
  • Most of the incidents were detected by nonsecurity personnel.
  • In many cases, forensic examinations were used to identify the insider and gather supporting evidence.

Study results found that in 80 percent of the cases reviewed, a supervisor, coworker, or subordinate observed concerning or inappropriate behavior by the perpetrator prior to the incident, such as excessive tardiness, truancy, arguments with coworkers, or poor job performance. In 31 percent of the cases studied, the insider had a record of disciplinary actions within the organization prior to the incident.

The study also found that 58 percent of the insiders communicated their negative feelings to others (coworkers, family, and friends) by revealing their grievances either verbally or through e-mail. In 20 percent of the cases, the insider made a direct threat about harming the organization or an individual. In addition, in 62 percent of the cases, insiders had developed plans to perpetrate the incident, such as stealing backup copies, sabotaging backup processes, or installing backdoor access to secured accounts. In 37 percent of the cases, the insider’s planning activity was noticeable, either online or offline.

RED FLAGS TO WATCH

As with any process, policies and procedures are effective only when they are monitored and enforced adequately. Risk and control awareness by employees, supervisors, and internal auditors can help deter insider threats similar to those reviewed in the following study cases.

Sharing account passwords. A shared account used to manage a company’s voicemail system required a password for administrative access. Because the company overlooked changing the password to the account upon termination of one of its employees, the disgruntled ex-employee was able to access the account remotely and made changes that directed certain customers to a pornographic telephone service.

In another incident, an employee who had privileged access to an application used to maintain client Web sites was terminated and his access disabled upon termination. Because department employees occasionally shared their passwords among the team for testing purposes, he was able to log into the application by using his supervisor’s username and password, and make malicious, embarrassing changes to client Web sites.

Unprotected screensavers. A contractor, who was not escorted when visiting an organization’s network operations center, was able to access consoles that were left logged on without password-protected screensavers. He then deleted system files, a database, and all software from three of the company’s servers.

Premises access for terminated employees. An insider with system administrator privileges was terminated from a research project that used a single, stand-alone computer to document data. Although the employee’s access card to the building was disabled immediately, he returned to the office after working hours, where another employee, believing the former employee’s access card had malfunctioned, let him into the building. The insider then deleted research data the office had been working on for 18 months.

Inadequate separation of duties. A programmer was given system administrator access, although system administration was not his responsibility. He used that access to plant a logic bomb on the organization’s network that interrupted customer access to the organization’s systems.

Noncompliance with two-person rule. When the sole system administrator of an organization was terminated without warning, he initially refused to divulge the system administrator passwords. Prior to leaving the building, he changed the passwords for all user accounts, preventing anyone in the organization from logging into the company’s systems. He also changed the IP address of the Web server so no one could access the organization’s Web site. Furthermore, after revealing the administrator passwords to the organization two days later, he remotely accessed a backdoor account he had previously created to run a password sniffer on the organization’s network, which enabled him to obtain a list of employee passwords.

Absence of procedural and technical controls for system administrators. Management disabled access to a network administrator’s computer and remote access accounts after he was reprimanded for behavioral issues. When returning to work the next day, the disgruntled employee gained physical access to a restricted workstation, logged in with a root password, and planted a time bomb that deleted all files on three company servers days later. Two days following recovery, the servers were sabotaged again in the same manner, and recovery consultants discovered a destructive script on three of the company’s file servers that was scheduled to run at 3 a.m. every Wednesday. During the investigation, the company learned that the insider had discovered a backdoor on 20 restricted workstations where he could gain root access.

BEST PRACTICES

Based on the case study, CERT recommends proactive strategies that can be implemented by all company personnel to mitigate insider threats, which include information security and human resources best practices such as:

  • Monitoring to ensure system access is disabled promptly and completely following an employee termination.
  • Establishing formal grievance procedures as an outlet for insider complaints.
  • Creating a reporting process when a colleague notices or suspects concerning behavior.
  • Enforcing comprehensive password policies and computer account management practices.
  • Using configuration management practices to detect logic bombs and malicious code.
  • Monitoring system log activity.
  • Establishing and monitoring procedural and technical controls for system administrator and privileged system functions.
  • Providing layered security for remote access.
  • Monitoring compliance with backup procedures and testing recovery processes.
  • Ensuring procedures are in place to disable temporary employee and contractor access as thoroughly as that of permanent employees.
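Several of the practices above (checking that access really is disabled after a termination, controlling shared accounts, and monitoring system log activity) come down to reviewing authentication logs against what human resources knows. The following is an added example, not code from the CERT study or from the article: the termination roster, the shared-account list, the internal address ranges, the off-hours window and the log lines are all constructed, and the log format (ISO timestamp, user, source address, result) is an assumption.

```python
"""Review an authentication log against a termination roster.

Added example, not part of the CERT study or the article: the roster, the
shared-account list and the log lines below are constructed, and the log
format (ISO timestamp, user, source address, result) is an assumption.
"""
from datetime import date, datetime
from typing import NamedTuple

# Constructed roster of departed users and the date on which their access
# should have been disabled (assumed format YYYY-MM-DD).
TERMINATED = {
    "jdoe": "2005-05-02",
    "contractor7": "2005-05-10",
}

# Constructed list of accounts known to be shared among several people
# (the kind of account the voicemail case above describes).
SHARED_ACCOUNTS = {"svc-voicemail"}

# Constructed log lines: "<ISO timestamp> <user> <source address> <result>".
SAMPLE_LOG = """\
2005-05-01T09:12:00 jdoe 10.0.0.15 success
2005-05-03T22:47:10 jdoe 203.0.113.9 success
2005-05-04T01:15:33 svc-voicemail 203.0.113.9 success
2005-05-04T08:03:01 asmith 10.0.0.22 success
2005-05-11T03:02:00 contractor7 198.51.100.4 success
2005-05-12T03:00:00 contractor7 198.51.100.4 failure
"""

# Assumed internal address ranges; anything else is treated as remote access.
INTERNAL_PREFIXES = ("10.", "192.168.")

# Assumed off-hours window: 22:00 up to (not including) 06:00 local time.
OFF_HOURS_START, OFF_HOURS_END = 22, 6


class Finding(NamedTuple):
    timestamp: datetime
    user: str
    source: str
    reasons: tuple


def is_remote(source: str) -> bool:
    return not source.startswith(INTERNAL_PREFIXES)


def is_off_hours(ts: datetime) -> bool:
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def review_auth_log(log_text: str, terminated: dict, shared: set) -> list:
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts_text, user, source, result = raw.split()
        ts = datetime.fromisoformat(ts_text)
        reasons = []

        # Rule 1: any attempt (success or failure) after the termination
        # date means the account was not disabled completely.
        if user in terminated and ts.date() > date.fromisoformat(terminated[user]):
            reasons.append("activity after termination date")

        # Rule 2: a shared account reached from outside the network cannot be
        # tied to one person, which is what the study warns about.
        if user in shared and is_remote(source):
            reasons.append("shared account used remotely")

        # Rule 3: successful remote logins at odd hours deserve a second look.
        if result == "success" and is_remote(source) and is_off_hours(ts):
            reasons.append("off-hours remote login")

        if reasons:
            findings.append(Finding(ts, user, source, tuple(reasons)))
    return findings


def accounts_needing_action(findings: list) -> set:
    """Distinct accounts to disable, rotate or investigate."""
    return {f.user for f in findings}


if __name__ == "__main__":
    flagged = review_auth_log(SAMPLE_LOG, TERMINATED, SHARED_ACCOUNTS)
    for f in flagged:
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.user:<14} {f.source:<14} "
              f"{', '.join(f.reasons)}")
    print("accounts needing action:", sorted(accounts_needing_action(flagged)))
```

Run against the constructed log, the review flags four of the six lines: both post-termination logins by the departed users (including the failed attempt, which still shows the account was never disabled), the shared voicemail account reached from a remote address, and each off-hours remote success. The point of the roster comparison is that it closes the loop between the human-resources record and the system record, which is where the study found most of the gaps.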

The study also suggests organizations should recognize that employees sometimes share their passwords with coworkers for convenience, knowing it is a violation of policy. To be safe, companies should remind coworkers of a departed employee to change their passwords if there is the slightest chance they may have shared a password with the employee. A termination checklist also should be used to ensure procedures are in place to terminate physical access to the facility, as well as to notify the guard station or reception area of the employee’s termination or resignation.

The complete report is available for download from CERT’s Web site, www.cert.org/archive/pdf/insidercross051105.pdf. Established in 1988, the CERT Center provides Internet security expertise through a federally funded research and development center operated by the Software Engineering Institute at Carnegie Mellon University.

This article was originally published in ITAudit, Vol. 8, June 15, 2005, published by The Institute of Internal Auditors Inc. See www.theiia.org/itaudit.